In case C-333/22, the ECJ ruled on the right to pursue an effective legal remedy against the decisions of national Data Protection Authorities (“DPAs”) upon the legitimacy of data treatment for public purposes.
A Belgian citizen contacted the Autorité nationale de sécurité (“ANS”) to obtain a security permit for business purposes. The ANS, however, declined: since the applicant had participated to several political demonstrations, he did not fulfil the conditions required for the permit.
Unsatisfied with this answer, the Belgian citizen required the Organe de contrôle de l’information policière (“OCIP”) to verify the legitimacy of the treatment of his personal data. The OCIP replied that the ANS had undergone verification as requested by the applicant, but gave no further information on the outcome of the process.
The recurrent brought the case before the Belgian Court of Appeal, after the Belgian Court of first instance ruled out the claim as inadmissible on grounds of competence. The Court of Appeal made a reference for a preliminary ruling to the European Court of Justice under art. 267 TFUE related to the interpretation of Art. 17 of Directive 2016/80 under Art. 47 of the EU Charter on Fundamental Rights, which provides for the right to an effective legal remedy and a to fair trial under the laws of the Union.
In other words, the ECJ was required to establish whether, and how, a European citizen can challenge the decision of a DPA when, for matters of public interest, citizens only obtain minimum information on the outcome of verification.
First, the Court established that Directive 2016/80 does not exclude the right to seek an effective legal remedy. When DPAs act upon an individual request, their decision directly affects the rights of the claimant. Accordingly, he/she/they should be able to challenge such decision in a court of law pursuant to Article 47 of the EU Charter.
Moving from this interpretation, the ECJ tried to secure the right to pursue an effective legal remedy in cases when Member States keep the verification of data processing secret.
Eventually, the Court reached the following conclusion: when DPAs can only provide minimum information on the verification process, national courts should nevertheless be able to access the basic elements of the decision, namely the elements of proof, conclusion, and motivation. By relying on such insights, national courts can scrutinize the limitations of Art. 47 of the Charter by public authorities under the principle of proportionality.
The ECJ also added that Directive 2016/80 does not necessarily advocate for “minimum information” on the outcome of the verification process. On the contrary, when transparency does not constitute a threat for public interest, DPAs should provide further information to the addressees of data processing in accordance with national law. Again, the ECJ recommends that national law limits, insofar as possible, limitations on Art. 47 of the EU Charter by establishing that limitations on the right to access DPA decisions be exceptional and subject to a scrutiny by national courts.
This judgement might constitute a milestone for the future development of data protection law in the international regulatory framework.
Firstly, the interpretation of Directive 2016/80 by the ECJ requires that Member States provide DPAs with the power to access, verify and regulate data processing at national level, because the absence of third-party control undermines the right to seek an effective legal remedy. Under this interpretation, D.L. 139/2021 (Italy) might be found to be in breach of EU law, because it allows DPA control on data processing for public interests only after the data processor has made a first screening on the possible risks related to the functioning of the system. In this scenario, public authorities can underestimate the impact of inherent risks, thus preventing the DPA from accessing and regulating data processing prior to its use in law enforcement activities.
Secondly, this ruling emphasizes the pivotal role of national courts in assessing violations of data protection law. This perspective might also transfer to other aspects of data protection that are not expressly related to privacy infringements, but rather to a broader concept of fairness in automated data processing. In other words, DPA processor and controllers might also be required to prove to national courts that their systems limit the risks of unfair or inaccurate outcomes in automated risk analysis. If case C-333/22 was considered to extend to this scenario, the reasoning provided by the ECJ implicitly emphasizes the need for a general requirement for extensive human intervention, risk management, and explainability in algorithmic data analysis. If judges are required to access the outcome of the verification process, and to consider whether data processing was overall fair,then both the Data controller and DPA are required to understand, detect, and properly disclose the global functioning of the AI models applied to data processing.
To read the judgment, please click on the following link.